git: 3327b2e94adb - main - net-mgmt/net-snmp: Add an upgrade message for running snmpd as non-root
Date: Tue, 02 Jul 2024 20:07:11 UTC
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/ports/commit/?id=3327b2e94adbc1fa1c6299ed04942395e5de650a
commit 3327b2e94adbc1fa1c6299ed04942395e5de650a
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-07-02 16:49:14 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-07-02 20:05:40 +0000
net-mgmt/net-snmp: Add an upgrade message for running snmpd as non-root
Explain that snmpd now drops privileges by default, and describe how one
can configure snmpd to run without any root privileges at all.
Approved by: zi
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
---
net-mgmt/net-snmp/Makefile | 2 +-
net-mgmt/net-snmp/files/pkg-message.in | 44 ++++++++++++++++++++++++++++++++++
2 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/net-mgmt/net-snmp/Makefile b/net-mgmt/net-snmp/Makefile
index 51b905b330b2..e6b4d2ba83d9 100644
--- a/net-mgmt/net-snmp/Makefile
+++ b/net-mgmt/net-snmp/Makefile
@@ -1,7 +1,7 @@
PORTNAME= snmp
PORTVERSION= 5.9.4
PORTEPOCH= 1
-PORTREVISION= 4
+PORTREVISION= 5
CATEGORIES= net-mgmt
MASTER_SITES= SF/net-${PORTNAME}/net-${PORTNAME}/${PORTVERSION} \
ZI
diff --git a/net-mgmt/net-snmp/files/pkg-message.in b/net-mgmt/net-snmp/files/pkg-message.in
index ca4724c83e32..aec6be19f18c 100644
--- a/net-mgmt/net-snmp/files/pkg-message.in
+++ b/net-mgmt/net-snmp/files/pkg-message.in
@@ -30,4 +30,48 @@
BATCH="yes"
EOM
}
+{ type: upgrade
+ message: <<EOM
+snmpd now drops privileges by default after initialization is completed.
+Ensure that any extension commands defined in your snmpd.conf can be executed
+by the snmpd user.
+
+It is possible to start and run snmpd entirely as a non-root user with the
+following steps:
+
+1. Add the following lines to /etc/rc.conf:
+
+ snmpd_user="snmpd"
+ snmpd_group="snmpd"
+ snmpd_pidfile="/var/net-snmp/snmpd.pid"
+
+2. Configure the mac_portacl(4) kernel module:
+
+ a. Load mac_portacl.ko at boot time by adding the following line to
+ /etc/rc.conf:
+
+ kld_list="mac_portacl"
+
+ b. Configure the following sysctls in sysctl.conf(5):
+
+ net.inet.ip.portrange.reservedhigh=0
+ security.mac.portacl.rules=gid:344:udp:161,gid:344:tcp:161,gid:344:tcp:199,gid:344:tcp:705
+
+ This allows snmpd to bind to these privileged ports without holding
+ special privileges.
+
+3. Make sure that the snmpd user has read/write or read-only access to the
+ following:
+
+ RW - /var/log/snmpd.log
+ RW - /var/net-snmp/*
+ RO - /usr/local/share/snmp/*
+
+ Note that snmpd creates the /var/net-snmp directory upon its initial
+ startup, and this cannot be done by the snmpd user.
+
+4. Ensure that any and all extension commands defined in snmpd.conf can be
+ executed by the snmpd user.
+EOM
+}
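Review bot: Step 3's note about /var/net-snmp states the problem but not the fix: it says the directory is created by snmpd on first start and cannot be created by the snmpd user, yet never tells the reader what to do about it. Add the missing instruction, for example "create /var/net-snmp as root before the first non-root start and chown it to the snmpd user and group", otherwise a reader who follows steps 1 to 4 exactly gets a daemon that cannot write its persistent state. Two smaller points in the same hunk: the portacl rules in step 2b hardcode `gid:344` while step 1 refers to the group only by the name `snmpd`, so say explicitly that 344 is the gid of that group (anyone who picks a different snmpd_group must change both places); and step 4 repeats, nearly word for word, the warning already given in the first paragraph ("Ensure that any extension commands defined in your snmpd.conf can be executed by the snmpd user"), so one of the two copies can go.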